Operational resilience is not limited to just business continuity, risk management, and mitigating impact. Significant disruptive events such as the pandemic have highlighted the need for organizations to ensure the continuity of operations by instilling operational resilience in their DNA.
Effective management of risk is largely connected to the integration of people, processes, and technology. It is imperative to identify and control risks that emerge between these layers with a strong strategy combining the latest tools and technologies.
Here are some reasons why it is important to build operational resilience.
Operational incidents can have a massive financial impact and also disturb markets and systems. As per Statista, the global average cost per data breach amounted to 4.35 million US dollars in 2022.
A McKinsey & Company research that studied more than 350 operational risk incidents at financial institutions in the US and Europe found that the initial declines in the total returns to shareholders (TRS) were in line with the actual fines of $23 billion. But in the next 120 days, the TRS declined by a staggering $278 billion, more than 12 times the total actual loss.
In recent years, operational resilience has been a crucial agenda for risk professionals. The global governance, risk, and regulatory (GRC) landscape are rapidly evolving. Businesses are under scrutiny from regulators who are now insisting on GRC disclosures and from institutional investors who have started incorporating ESG among investment criteria. With regulatory focus shifting, regulators want to see how quickly organizations can recover from events.
As of 31 March 2022, the Financial Conduct Authority (FCA) mandated firms to identify their important business services, set impact tolerances, and carry out mapping and testing. The European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA) in 2022, after the initial DORA proposal in 2020.
However, the challenge for organizations is that with the GRC landscape evolving so rapidly, the amount of data being collected and analyzed is huge. In most organizations, risk professionals still rely on manual processes. This is not viable in the long run because the data will keep growing as the world becomes more connected leading to more errors. Business decisions today span continents, jurisdictions, and customer preferences, yet must be taken all in a matter of minutes and even seconds.
Operational resilience programs need to be in line with the overall organization strategy to drive investment decisions. Businesses need direct engagement from the board, front liners, and the extended enterprise.
With the clear need to ensure a proactive approach to risk, here's how to get started.
Here are 5 actionable steps for an Operational Resilience Framework in the modern Governance, Risk, and Compliance (GRC) ecosystem:
As businesses streamline their operational resilience program, they would need to start with identifying key business services which, if affected, could cause significant damage. To effectively do so, they will need to create a map of the organizational hierarchy, business objectives, and supervisory objectives to align them with the organization's risk appetite. Users of each service would need to be identified and engaged with the frontline. All critical insights would need to be aligned in a way that the organization can have the required information to refine strategic initiatives.
Several known and unknown factors are contributing to serious disruptions. Creating forecasts, and pre-empting or mitigating these factors is necessary. During this process, organizations need to set tolerances with full transparency to prioritize investments. This is essential to optimize investment for comprehensive decisions. They will also need to leverage a rational approach to set tolerances. This will help create realistic scenarios to better offer a quick risk analysis.
Organizations function in a volatile environment today. An essential step is to build a relational data framework to map people, processes, systems, and third parties that involve internal and external dependencies. They will need to utilize technology to ensure a single unified view across all vital organizational processes. To get an overview of the roadblocks, it's important to understand how things are connected. The leadership should ensure the company adopts a risk-based approach for third and fourth-party vendors.
While identifying points of failure, it is necessary to look at the real impact on the organization to create a better understanding of the risk appetite. Looking at past failures within and outside of the organization's control will help create operational resilience. Focusing on validating risk scenarios vis-à-vis business objectives by using scenario-based testing using questionnaires, simulations, expert tabletop exercises, etc. is important. Business Continuity Management (BCM) and Disaster Recovery (DM) teams should be deployed. Organizations need to identify weak links by taking employees out of their comfort zone and making them work in unfamiliar situations.
A communication plan is an essential part of the risk management strategy. Organizations should frame their communication plan by understanding key internal and external stakeholders and curating communication plans during a crisis for both. They should also identify key business services and demonstrate to regulators that scenario tests on plausible events have been conducted.
Integrating GRC to efficiently execute the steps mentioned above can prove to be a capable differentiator. Technology offers a scalable platform to build a relational data framework in line with organizational hierarchy and regulatory objectives.
The right GRC platform helps simplify this process by offering a single unified view of risk by seamlessly embedding compliance, cybersecurity, vendor risk management, and business continuity planning. A GRC platform can also help empower front-line managers to capture, report, and track business anomalies, enabling real-time risk reporting.
With tangible insights on risk rating or relevance rating of important services, decision-makers will be able to identify critical economic functions. Leveraging such technology organizations can build and implement a holistic approach to prepare for and prevent potential operational disruptions.
Shankar Bhaskaran, Managing Director – India, MetricStream
Join our WhatsApp Channel to get the latest news, exclusives and videos on WhatsApp
_____________
Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments. Read more here.